ouadhi commented on issue #13806:
URL: https://github.com/apache/superset/issues/13806#issuecomment-812028277


   Hi @srinify, it works perfectly now.
   First, I added flask-oidc==1.3.0 to requirement.test.
   Then, in docker/pythonpath_dev, I created the file kyecloack_securtiy_manager.py
   with this code:
   ```python
   import logging
   from urllib.parse import quote

   from flask import redirect, request
   from flask_appbuilder.security.manager import AUTH_OID
   from flask_appbuilder.security.views import AuthOIDView
   from flask_appbuilder.views import ModelView, SimpleFormView, expose
   from flask_login import login_user
   from flask_oidc import OpenIDConnect

   from superset.security import SupersetSecurityManager
   
   class OIDCSecurityManager(SupersetSecurityManager):
       """Superset security manager that hands login over to flask-oidc.

       An OpenIDConnect client is created only when the configured auth type
       is AUTH_OID. The OpenID login view is replaced by AuthOIDCView in
       every case.
       """

       def __init__(self, appbuilder):
           """Initialise the base manager, then attach the OIDC client and view."""
           super().__init__(appbuilder)

           oidc_enabled = self.auth_type == AUTH_OID
           if oidc_enabled:
               # get_app is read as an attribute here, not called.
               flask_app = self.appbuilder.get_app
               self.oid = OpenIDConnect(flask_app)

           # Set regardless of auth type, exactly as the login view is swapped
           # unconditionally.
           self.authoidview = AuthOIDCView
   
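   class AuthOIDCView(AuthOIDView):
       """Login and logout views that delegate authentication to the OIDC provider.

       Relies on names supplied by the surrounding module: ``expose``,
       ``login_user``, ``quote`` and Flask's ``redirect`` and ``request``.
       """

       @expose('/login/', methods=['GET', 'POST'])
       def login(self, flag=True):
           """Sign the caller in through OIDC, creating an account on first login.

           ``flag`` is accepted but not used by this implementation.
           """
           sm = self.appbuilder.sm
           oidc = sm.oid

           @oidc.require_login
           def handle_login():
               # The existing account is selected by the e-mail claim alone.
               # NOTE(review): if the provider does not verify addresses (and
               # OIDC_REQUIRE_VERIFIED_EMAIL is False), an unverified address is
               # still matched to the Superset account holding it -- confirm the
               # provider's e-mail verification before relying on this lookup.
               user = sm.auth_user_oid(oidc.user_getfield('email'))

               if user is None:
                   # First login: create a local account from the provider's
                   # claims and give it the 'Gamma' role.
                   info = oidc.user_getinfo(
                       ['preferred_username', 'given_name', 'family_name', 'email']
                   )
                   # NOTE(review): the result of add_user goes straight to
                   # login_user; confirm how a failed insert is reported.
                   user = sm.add_user(
                       info.get('preferred_username'),
                       info.get('given_name'),
                       info.get('family_name'),
                       info.get('email'),
                       sm.find_role('Gamma'),
                   )

               login_user(user, remember=False)
               return redirect(self.appbuilder.get_url_for_index)

           return handle_login()

       @expose('/logout/', methods=['GET', 'POST'])
       def logout(self):
           """End the local session, then redirect to the provider's logout URL."""
           oidc = self.appbuilder.sm.oid

           oidc.logout()
           super().logout()

           # Parenthesised so the expression survives line wrapping; the original
           # listing broke after the '+' and no longer parsed.
           # NOTE(review): request.url_root reflects the host the request arrived
           # with; behind a proxy, confirm host handling is pinned so the
           # post-logout target always points at this application.
           redirect_url = (
               request.url_root.strip('/') + self.appbuilder.get_url_for_login
           )

           return redirect(
               oidc.client_secrets.get('issuer')
               + '/protocol/openid-connect/logout?redirect_uri='
               + quote(redirect_url)
           )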
   ```
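   Create another JSON file, "client_secret.json", containing the Keycloak
   configuration. The plain-`http://` endpoints and the `/*` redirect URI shown
   here fit a local test setup; for anything reachable by others, use HTTPS and
   list exact redirect URIs.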
   
   ```json
   {
       "web": {
           "issuer": "http://keyclaokdomain/auth/realms/<realmName>",
           "auth_uri": 
"http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/auth",
           "client_id": "<ClientID>",
           "client_secret": "<Client Secret>",
           "redirect_uris": [
               "http://domaineApp/*"
           ],
           "userinfo_uri": 
"http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/userinfo",
           "token_uri": 
"http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/token",
           "token_introspection_uri": 
"http://keyclaokdomain/auth/realms/<realmName>/protocol/openid-connect/token/introspect"
       }
   }
   
   ```
   Finally, add these lines to superset_config.py:
   ```python
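   import os

   from flask_appbuilder.security.manager import (
       AUTH_DB,
       AUTH_LDAP,
       AUTH_OAUTH,
       AUTH_OID,
       AUTH_REMOTE_USER,
   )

   from kyecloack_securtiy_manager import OIDCSecurityManager

   # --------------------------- KEYCLOACK ----------------------------
   # Resolved against the working directory of the process that imports this file.
   curr = os.path.abspath(os.getcwd())
   AUTH_TYPE = AUTH_OID

   # Session-signing key, read from the environment so that no key value lives
   # in this file. The lookup raises KeyError when the variable is unset, which
   # stops start-up instead of running with a publicly known key.
   SECRET_KEY = os.environ['SUPERSET_SECRET_KEY']

   OIDC_CLIENT_SECRETS = curr + '/pythonpath/client_secret.json'

   # Development-only values: the ID-token cookie is allowed over plain HTTP and
   # unverified e-mail addresses are accepted. The login view matches accounts
   # by e-mail, so set both to True once the app is served over HTTPS and the
   # provider verifies addresses.
   OIDC_ID_TOKEN_COOKIE_SECURE = False
   OIDC_REQUIRE_VERIFIED_EMAIL = False

   # Plain assignments ('='): a 'NAME: value' line is only an annotation and
   # sets nothing.
   OIDC_OPENID_REALM = 'realm1'
   OIDC_INTROSPECTION_AUTH_METHOD = 'client_secret_post'

   CUSTOM_SECURITY_MANAGER = OIDCSecurityManager

   # Every identity the provider accepts gets a local account with this role on
   # first login.
   AUTH_USER_REGISTRATION = True
   AUTH_USER_REGISTRATION_ROLE = 'Gamma'
   # ------------------------------------------------------------------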
   ``` 
   

